From b9005f1a69ad989a50ffa68a41c959551f0cb158 Mon Sep 17 00:00:00 2001
From: Matej Habrnal <mhabrnal@redhat.com>
Date: Wed, 23 May 2018 11:15:38 +0200
Subject: [PATCH 1/1] Remove dependency on deprecated nss-pem
This commit removes dependency on nss-pem which is deprecated and
reimplements the TLS client's trust-store initialization to load libnssckbi.so instead [1].
Resolves #1578427
[1] https://docs-old.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client-NSS.html#ex-Defensive_Coding-TLS-NSS-Init
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
---
abrt.spec.in | 2 +-
src/plugins/abrt-retrace-client.c | 5 ++-
src/plugins/https-utils.c | 53 ++++++-------------------------
src/plugins/https-utils.h | 4 +--
4 files changed, 15 insertions(+), 49 deletions(-)
diff --git a/abrt.spec.in b/abrt.spec.in
|
|
|
8f9a28 |
index f423562c..eb6fdaf9 100644
|
|
|
8f9a28 |
--- a/abrt.spec.in
|
|
|
8f9a28 |
+++ b/abrt.spec.in
|
|
|
8f9a28 |
@@ -255,7 +255,7 @@ Summary: %{name}'s retrace client
|
|
|
8f9a28 |
Requires: %{name} = %{version}-%{release}
|
|
|
8f9a28 |
Requires: xz
|
|
|
8f9a28 |
Requires: tar
|
|
|
8f9a28 |
-Requires: nss-pem
|
|
|
8f9a28 |
+Requires: p11-kit-trust
|
|
|
8f9a28 |
|
|
|
8f9a28 |
%description retrace-client
|
|
|
8f9a28 |
This package contains the client application for Retrace server
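Review bot: The new `Requires: p11-kit-trust` deserves a one-line comment in the spec, because nothing else ties it to the code: https-utils.c now loads `libnssckbi.so` by bare name, and, as far as I know, on Fedora it is the p11-kit-trust package that makes that name resolve to the system trust store rather than NSS's own built-in Mozilla roots. The previous code loaded `/etc/pki/tls/certs/ca-bundle.crt` explicitly, so a locally added CA for an in-house retrace server keeps being trusted only through this dependency, and if the alternative were missing the client would silently verify against a different set of roots. Suggested: `# libnssckbi.so must resolve to the p11-kit system trust store; see nss_init() in src/plugins/https-utils.c`.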
|
|
|
8f9a28 |
diff --git a/src/plugins/abrt-retrace-client.c b/src/plugins/abrt-retrace-client.c
|
|
|
8f9a28 |
index ae5ef83b..d50d45fb 100644
|
|
|
8f9a28 |
--- a/src/plugins/abrt-retrace-client.c
|
|
|
8f9a28 |
+++ b/src/plugins/abrt-retrace-client.c
|
|
|
8f9a28 |
@@ -1281,8 +1281,7 @@ int main(int argc, char **argv)
|
|
|
8f9a28 |
|
|
|
8f9a28 |
/* Initialize NSS */
|
|
|
8f9a28 |
SECMODModule *mod;
|
|
|
8f9a28 |
- PK11GenericObject *cert;
|
|
|
8f9a28 |
- nss_init(&mod, &cert);
|
|
|
8f9a28 |
+ nss_init(&mod);
|
|
|
8f9a28 |
|
|
|
8f9a28 |
/* Run the desired operation. */
|
|
|
8f9a28 |
int result = 0;
|
|
|
8f9a28 |
@@ -1334,7 +1333,7 @@ int main(int argc, char **argv)
|
|
|
8f9a28 |
error_msg_and_die(_("Unknown operation: %s."), operation);
|
|
|
8f9a28 |
|
|
|
8f9a28 |
/* Shutdown NSS. */
|
|
|
8f9a28 |
- nss_close(mod, cert);
|
|
|
8f9a28 |
+ nss_close(mod);
|
|
|
8f9a28 |
|
|
|
8f9a28 |
return result;
|
|
|
8f9a28 |
}
|
|
|
8f9a28 |
diff --git a/src/plugins/https-utils.c b/src/plugins/https-utils.c
|
|
|
8f9a28 |
index 7a22729b..7a9479ca 100644
|
|
|
8f9a28 |
--- a/src/plugins/https-utils.c
|
|
|
8f9a28 |
+++ b/src/plugins/https-utils.c
|
|
|
8f9a28 |
@@ -142,37 +142,6 @@ static const char *ssl_get_configdir()
|
|
|
8f9a28 |
return NULL;
|
|
|
8f9a28 |
}
|
|
|
8f9a28 |
|
|
|
8f9a28 |
-static PK11GenericObject *nss_load_cacert(const char *filename)
|
|
|
8f9a28 |
-{
|
|
|
8f9a28 |
- PK11SlotInfo *slot = PK11_FindSlotByName("PEM Token #0");
|
|
|
8f9a28 |
- if (!slot)
|
|
|
8f9a28 |
- error_msg_and_die(_("Failed to get slot 'PEM Token #0': %d."), PORT_GetError());
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
- CK_ATTRIBUTE template[4];
|
|
|
8f9a28 |
- CK_OBJECT_CLASS class = CKO_CERTIFICATE;
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
-#define PK11_SETATTRS(x,id,v,l) \
|
|
|
8f9a28 |
- do { \
|
|
|
8f9a28 |
- (x)->type = (id); \
|
|
|
8f9a28 |
- (x)->pValue=(v); \
|
|
|
8f9a28 |
- (x)->ulValueLen = (l); \
|
|
|
8f9a28 |
- } while (0)
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
- PK11_SETATTRS(&template[0], CKA_CLASS, &class, sizeof(class));
|
|
|
8f9a28 |
- CK_BBOOL cktrue = CK_TRUE;
|
|
|
8f9a28 |
- PK11_SETATTRS(&template[1], CKA_TOKEN, &cktrue, sizeof(CK_BBOOL));
|
|
|
8f9a28 |
- PK11_SETATTRS(&template[2], CKA_LABEL, (unsigned char*)filename, strlen(filename)+1);
|
|
|
8f9a28 |
- PK11_SETATTRS(&template[3], CKA_TRUST, &cktrue, sizeof(CK_BBOOL));
|
|
|
8f9a28 |
- PK11GenericObject *cert = PK11_CreateGenericObject(slot, template, 4, PR_FALSE);
|
|
|
8f9a28 |
- PK11_FreeSlot(slot);
|
|
|
8f9a28 |
- return cert;
|
|
|
8f9a28 |
-}
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
-static char *ssl_get_password(PK11SlotInfo *slot, PRBool retry, void *arg)
|
|
|
8f9a28 |
-{
|
|
|
8f9a28 |
- return NULL;
|
|
|
8f9a28 |
-}
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
void ssl_connect(struct https_cfg *cfg, PRFileDesc **tcp_sock, PRFileDesc **ssl_sock)
|
|
|
8f9a28 |
{
|
|
|
8f9a28 |
PRAddrInfo *addrinfo = PR_GetAddrInfoByName(cfg->url, PR_AF_UNSPEC, PR_AI_ADDRCONFIG);
|
|
|
8f9a28 |
@@ -411,7 +380,7 @@ char *http_join_chunked(char *body, int bodylen)
|
|
|
8f9a28 |
return strbuf_free_nobuf(result);
|
|
|
8f9a28 |
}
|
|
|
8f9a28 |
|
|
|
8f9a28 |
-void nss_init(SECMODModule **mod, PK11GenericObject **cert)
|
|
|
8f9a28 |
+void nss_init(SECMODModule **mod)
|
|
|
8f9a28 |
{
|
|
|
8f9a28 |
SECStatus sec_status;
|
|
|
8f9a28 |
const char *configdir = ssl_get_configdir();
|
|
|
8f9a28 |
@@ -422,21 +391,19 @@ void nss_init(SECMODModule **mod, PK11GenericObject **cert)
|
|
|
8f9a28 |
if (SECSuccess != sec_status)
|
|
|
8f9a28 |
error_msg_and_die(_("Failed to initialize NSS."));
|
|
|
8f9a28 |
|
|
|
8f9a28 |
- char *user_module = xstrdup("library=libnsspem.so name=PEM");
|
|
|
8f9a28 |
- *mod = SECMOD_LoadUserModule(user_module, NULL, PR_FALSE);
|
|
|
8f9a28 |
- free(user_module);
|
|
|
8f9a28 |
- if (!*mod || !(*mod)->loaded)
|
|
|
8f9a28 |
- error_msg_and_die(_("Failed to initialize security module."));
|
|
|
8f9a28 |
-
|
|
|
8f9a28 |
- *cert = nss_load_cacert("/etc/pki/tls/certs/ca-bundle.crt");
|
|
|
8f9a28 |
- PK11_SetPasswordFunc(ssl_get_password);
|
|
|
8f9a28 |
- NSS_SetDomesticPolicy();
|
|
|
8f9a28 |
+ // Initialize the trusted certificate store.
|
|
|
8f9a28 |
+ char module_name[] = "library=libnssckbi.so name=\"Root Certs\"";
|
|
|
8f9a28 |
+ *mod = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);
|
|
|
8f9a28 |
+ if (*mod == NULL || !(*mod)->loaded)
|
|
|
8f9a28 |
+ {
|
|
|
8f9a28 |
+ const PRErrorCode err = PR_GetError();
|
|
|
8f9a28 |
+ error_msg_and_die("error: NSPR error code %d: %s\n", err, PR_ErrorToName(err));
|
|
|
8f9a28 |
+ }
|
|
|
8f9a28 |
}
|
|
|
8f9a28 |
|
|
|
8f9a28 |
-void nss_close(SECMODModule *mod, PK11GenericObject *cert)
|
|
|
8f9a28 |
+void nss_close(SECMODModule *mod)
|
|
|
8f9a28 |
{
|
|
|
8f9a28 |
SSL_ClearSessionCache();
|
|
|
8f9a28 |
- PK11_DestroyGenericObject(cert);
|
|
|
8f9a28 |
SECMOD_UnloadUserModule(mod);
|
|
|
8f9a28 |
SECMOD_DestroyModule(mod);
|
|
|
8f9a28 |
SECStatus sec_status = NSS_Shutdown();
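Review bot: The new failure message at the `error_msg_and_die` call in nss_init is out of step with the rest of the function: it is not wrapped in `_()` like `_("Failed to initialize NSS.")` a few lines above, it hard-codes an `error:` prefix and a trailing `\n` that the other messages leave to error_msg_and_die, and `PR_ErrorToName()` returns NULL for codes it does not know, which must not be passed to `%s`. I would write `const char *name = PR_ErrorToName(err);` followed by `error_msg_and_die(_("Failed to load the trusted certificate store (libnssckbi.so): NSPR error %d (%s)."), err, name ? name : "unknown");`. Separately, the hunk drops `NSS_SetDomesticPolicy()` without the commit message saying why; on NSS builds where cipher suites are not enabled by default nothing left in nss_init enables any suite and every handshake in ssl_connect would fail, so this is worth confirming against the NSS version the package targets (current NSS plus the system crypto policy presumably make the call redundant). nss_close continues past the end of the hunk.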
|
|
|
8f9a28 |
diff --git a/src/plugins/https-utils.h b/src/plugins/https-utils.h
|
|
|
8f9a28 |
index 8ff9aede..f0b167d3 100644
|
|
|
8f9a28 |
--- a/src/plugins/https-utils.h
|
|
|
8f9a28 |
+++ b/src/plugins/https-utils.h
|
|
|
8f9a28 |
@@ -61,7 +61,7 @@ int http_get_response_code(const char *message);
|
|
|
8f9a28 |
void http_print_headers(FILE *file, const char *message);
|
|
|
8f9a28 |
char *tcp_read_response(PRFileDesc *tcp_sock);
|
|
|
8f9a28 |
char *http_join_chunked(char *body, int bodylen);
|
|
|
8f9a28 |
-void nss_init(SECMODModule **mod, PK11GenericObject **cert);
|
|
|
8f9a28 |
-void nss_close(SECMODModule *mod, PK11GenericObject *cert);
|
|
|
8f9a28 |
+void nss_init(SECMODModule **mod);
|
|
|
8f9a28 |
+void nss_close(SECMODModule *mod);
|
|
|
8f9a28 |
|
|
|
8f9a28 |
#endif
|
|
|
8f9a28 |
--
2.17.0